Whistle-Blower Faces FBI Probe

LAS VEGAS — The FBI is investigating a computer security researcher for criminal conduct after he revealed that critical routers supporting the internet and many networks have a serious software flaw that could allow someone to crash or take control of them.

This article has been reproduced in a new format and may be missing content or contain faulty links. Contact wiredlabs@wired.com to report an issue.

Mike Lynn, a former researcher at Internet Security Systems, or ISS, said he was tipped off late Thursday night that the FBI was investigating him for violating trade secrets belonging to his former employer.

Lynn resigned from ISS Wednesday morning after his company and Cisco threatened to sue him if he spoke at the Black Hat security conference in Las Vegas about a serious vulnerability he found while reverse-engineering the operating system in Cisco routers. He said he conducted the reverse-engineering at the request of his company, which was concerned that Cisco wasn't being forthright about a recent fix it had made to its operating system.

Lynn spoke anyway, discussing the flaw in Cisco IOS, the operating system that runs on Cisco routers, which are responsible for transferring data over much of the internet and private networks.

Although Lynn demonstrated for the audience what hackers could do to a router if they exploited the flaw, he did not reveal technical details that would allow anyone to exploit the bug without doing the same research he did to discover it.

Both companies knew in advance about Lynn's plan to talk and originally supported it. But at the last minute, the companies tried to halt the presentation or force Lynn to allow Cisco representatives to speak as well. They threatened Lynn with a lawsuit if he talked and made good on that threat after his appearance, when they filed a restraining order to prevent him from saying anything else about the flaw.

The company said the vulnerability was not new and that it had already patched the problem in April and sent revised software to customers. Lynn said, however, that Cisco did not tell customers exactly why the software was revised or indicate that the update was a critical patch. As a result, he said, system administrators didn't understand the urgency of the situation. Cisco denied that the flaw was as critical as Lynn said it was.

Prior to the talk, Cisco, with agreement from the conference organizers, hired temporary workers to rip out pages from a conference book that contained images of the slides from Lynn's presentation. They also replaced the conference CD-ROM with a new disc that was absent the presentation. This hasn't stopped people from obtaining the presentation, however: A site has posted it (.zip) for people to download.

The news of the criminal investigation came just hours after Lynn signed a settlement with Cisco and ISS releasing him from civil liability in exchange for meeting several conditions. Lynn was to provide a mirror image of all computer data he has and give it to a third party for forensic analysis. This was likely to determine if he had stolen proprietary information from ISS or Cisco or broken any other laws. His research material on the vulnerability would then have to be erased. Lynn also was prohibited from discussing the bug in the future.

"I was really mad at ISS before and now I'm extremely disappointed," Lynn told Wired News. "At this point, they're just trying to milk it for punitive damages. We already had a standing agreement, and now they're trying to attack me in some other way."

The FBI declined to discuss the case.

"Our policy is to not make any comment on anything that is ongoing. That's not to confirm that something is, because I really don't know," said FBI spokesman Paul Bresson.

But Lynn's lawyer, Jennifer Granick, confirmed that the FBI told her it was investigating her client.

Granick said, however, that she thought the agency was simply following through on a complaint it received when Cisco and ISS filed their lawsuit against Lynn and that the investigation wasn't initiated after her client reached his settlement with the companies. She didn't know the nature of the complaint but said it was probably something to do with intellectual property and that it most likely came from Cisco or ISS.

"The investigation has to do with the presentation," she said, "but what crime that could possibly be is unknown because they haven't found any (evidence against him)."

She hadn't spoken with the U.S. attorney in charge of the investigation but said she thought it was possible that the investigation would wind down soon for lack of evidence now that Lynn had reached an agreement with Cisco and ISS.

"There's no arrest warrant for (Lynn) and there are no charges filed and no case pending," Granick said. "There may never be. But they got a complaint and as a result they were doing some investigation."

Black Hat ended Thursday afternoon, but it's being followed by hacker conference DefCon, which runs Friday through Sunday in Las Vegas. Security professional Jeff Moss organized both conferences. Many of the same people who attended Lynn's talk, including FBI and other government agents who regularly attend security events, will be at the second conference as well.

Lynn said that if the case was not dropped, he thought it unlikely that the FBI would try to arrest him this weekend.

"I think they got burned with the Dmitry Sklyarov case," he said.

Sklyarov was a Russian programmer who, in 2001, reverse-engineered Adobe Systems' e-book software and handed out CD-ROMs at DefCon containing a program that would allow people to circumvent the copy protection in Adobe's digital books to download and read them without restriction.

The FBI, at Adobe's urging, arrested Sklyarov the morning after the conference ended before he returned home on charges that his activities violated the Digital Millennium Copyright Act. The move launched protests against Adobe, which resulted in a lot of bad publicity for the company. The government ultimately dropped its case against Sklyarov.

Granick said she did not think the FBI would arrest Lynn.

"Definitely not," she said. "I don't have any sense at all that that's where they're going. I don't know what the circumstances are under which anyone contacted the FBI. It may very well be that given that we settled the civil case yesterday, this is over. I'm hoping that's the case but if it's not, there's a lot of opportunity for people to be very concerned about it."

Here’s The Thing With Ad Blockers

We get it: Ads aren’t what you’re here for. But ads help us keep the lights on. So, add us to your ad blocker’s whitelist or pay $1 per week for an ad-free version of WIRED. Either way, you are supporting our journalism. We’d really appreciate it.